How to upgrade VIP | Microsoft ADFS Two-factor authentication plugin
Last Updated April 13, 2016
Two-factor authentication fails with a VIP service exception.
For greater security, the VIP Authentication Service End-Point has been updated with a new certificate hierarchy. This error occurs if the old hierarchy is used, causing AD FS authentication failures due to the certificate mismatch. (For more information, please refer to the following KB article: https://support.symantec.com/en_US/article.INFO3527.html)
1. On the ADFS server, navigate to the ADFS installation folder (C:\Program Files\Symantec\ADFS3).
2. If IIS and ADFS 3.0 are hosted on the same Windows 2012 R2 server, locate and create a backup of the following folders: JScripts, vipssp, and vipssphelper. If IIS is on a different host, skip this step.
3. Take note of the VIP User ID configured in the ADFS 3.0 plug-in. This same User ID must be used during the AD FS plug-in re-configuration.
4. Uninstall the ADFS plug-in (refer to the ADFS Partner Integration Guide PDF available from VIP Manager, Chapter 5). Do not uninstall the vipssp or vipssphelper applications.
5. Download the latest AD FS 3.0 plug-in from VIP Manager (VIP Manager > Account > Download Files > Third Party Integrations).
6. Install and configure the AD FS plug-in (refer to the ADFS Partner Integration Guide PDF available from VIP Manager, Chapter 2) using the same VIP User ID noted in step 3.
   If the ADFS plug-in is installed and configured in a multi-server deployment (such as an ADFS server farm), the secondary ADFS server will show the Windows Account Name as the VIP User ID by default. However, the VIP User ID attribute cannot be modified, as the user ID configured on the primary ADFS server will take effect.
7. There is no need to re-configure IIS if it is hosted on a different host. If IIS is on the same ADFS server, restore the folders copied in step 2 to the ADFS installation folder (C:\Program Files\Symantec\ADFS3).
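The folder backup and the later restore described above can be checked with a hash manifest, so that a partial copy or a file changed by the reinstall is caught before AD FS is put back into service. This PowerShell script is an added example, not Symantec's tooling: the folder names and install path come from the steps above, while the backup location `C:\VIP-ADFS-Backup`, the manifest file name and the `-Mode` parameter are assumptions.

```powershell
# Added example (not vendor code). Folder names and install path come from the steps above.
# Run with -Mode Backup before uninstalling the plug-in, and with -Mode Verify after the
# folders have been copied back into the installation folder.
param(
    [ValidateSet('Backup', 'Verify')][string]$Mode = 'Backup',
    [string]$InstallDir = 'C:\Program Files\Symantec\ADFS3',
    [string]$BackupRoot = 'C:\VIP-ADFS-Backup'   # assumption: any local path with enough space
)
$ErrorActionPreference = 'Stop'
$Folders  = 'JScripts', 'vipssp', 'vipssphelper'
$Manifest = Join-Path $BackupRoot 'manifest.csv'  # assumed manifest name

# Returns one record (relative path + SHA-256) per file under the three folders in $Root.
function Get-FolderHashes([string]$Root) {
    foreach ($name in $Folders) {
        $dir = Join-Path $Root $name
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { throw "Missing folder: $dir" }
        Get-ChildItem -LiteralPath $dir -Recurse -File | ForEach-Object {
            [pscustomobject]@{
                RelativePath = $_.FullName.Substring($Root.Length).TrimStart('\')
                SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

if ($Mode -eq 'Backup') {
    if (Test-Path -LiteralPath $Manifest) { throw "Backup already exists in $BackupRoot; not overwriting." }
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $source = @(Get-FolderHashes $InstallDir)      # hash the originals first
    foreach ($name in $Folders) {
        Copy-Item -LiteralPath (Join-Path $InstallDir $name) -Destination $BackupRoot -Recurse
    }
    $copy = @(Get-FolderHashes $BackupRoot)
    # Fail if nothing was found or if any copied file differs from its original.
    if ((-not $source) -or (Compare-Object $source $copy -Property RelativePath, SHA256)) {
        throw 'Backup is empty or does not match the source folders.'
    }
    $copy | Export-Csv -LiteralPath $Manifest -NoTypeInformation
    "Backed up $($copy.Count) files to $BackupRoot"
}
else {
    $expected = @(Import-Csv -LiteralPath $Manifest)
    $actual   = @(Get-FolderHashes $InstallDir)
    $diff = Compare-Object $expected $actual -Property RelativePath, SHA256
    if ($diff) { $diff | Format-Table -AutoSize | Out-String | Write-Host; throw 'Restored folders differ from the backup.' }
    "Verified $($actual.Count) files against $Manifest"
}
```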
Note: If your organization cannot immediately install the latest AD FS plug-in, certificate pinning can be temporarily disabled until the new AD FS plug-in can be installed. If you plan on installing the AD FS plug-in, please ignore the following steps.